Ensure Oversight and Effective Safeguards for Privacy, Free Speech


(New York) – Recent revelations about the scope of US national security surveillance highlight how dramatic increases in private digital communications and government computing power are fueling surveillance practices that impinge on privacy in ways unimaginable just a few years ago. There is an urgent need for the US Congress to reevaluate and rewrite surveillance laws in light of those technological developments and put in place better safeguards against security agency overreach.

A string of media reports describing secret US surveillance programs underscores the degree to which laws originally designed to track phone records relating to criminal investigations have been expanded to authorize the collection of vast quantities of new forms of data that intrude much more deeply into the private lives of both citizens and non-citizens.

“Existing laws do not seem to have kept up with the threat to privacy and other rights posed by the government’s relatively new capacity to collect and analyze quickly vast quantities of personal information,” said Kenneth Roth, executive director at Human Rights Watch. “Because oversight is secret and inspires little confidence, there is every reason to fear that the scope of surveillance extends far beyond what can be justified by the government’s legitimate interest in addressing terrorist or other security threats.”

A report in The Guardian says intelligence agencies are collecting information from phone companies relating to the calls of millions of people, under orders granted in secret proceedings by the Foreign Intelligence Surveillance Act (FISA) court. The leaked order requires Verizon Business Services, under Section 215 of the Patriot Act, to produce information related to all telephone calls in its systems, both within the United States and between the US and other countries. The order is valid for three months but appears to be regularly renewed.

The information sought is “metadata,” which includes the numbers of both parties to a call, their locations, the time and duration of the calls, and other identifying information. The contents of conversations are not covered, but the government has an ever increasing capacity to analyze metadata to show the caller’s likely identity, social networks, and other patterns or behavior the government may want to target. The Wall Street Journal has reported that the National Security Agency (NSA) is also collecting records from AT&T and Sprint, Internet service providers, and information about credit card transactions. The government’s rapidly growing capacity to cross-reference and analyze this data enables it to paint a stunningly complete picture of the life of almost anyone whose data it picks up.

An article in the Washington Post describes another program under which US Internet companies, including Google, Facebook, and Microsoft, are compelled through secret FISA court orders to facilitate collection of user data and monitoring of communications by US government agencies. Training slides released by the Washington Post indicate that agencies can obtain a range of information through the program, including emails, voice chat, photos, and social networking details, from a number of major Internet companies. Subsequent media reports and responses from Internet companies have called into question the exact mechanism that companies are using to facilitate access to information. However, official statements issued June 6 and 8 from the director of national intelligence, James Clapper, confirmed that Internet surveillance activities were being conducted under Section 702 of the FISA Amendments Act. Given the secrecy involved, it is not clear whether these court orders permit vacuuming up data on the same magnitude as the Verizon order.

Companies that receive orders under FISA and the Patriot Act are generally prohibited from disclosing the existence of these orders. The decisions and authorizations of the FISA court are also secret and congressional oversight operates through highly classified and restrictive briefings that prevent broad discussion.

Human Rights Watch is deeply troubled by the apparent lack of any consideration by the US government for the privacy rights of non-US citizens. The US Constitution may have been interpreted to grant privacy rights only to US citizens or people in the United States, but international human rights law recognizes that everyone is entitled to respect for their privacy. With so many electronic communications traveling through the United States, the lack of any regard for the privacy rights of non-US citizens raises very troubling concerns.

“The United States wants to be the Internet capital of the world, but it undermines that status by giving no regard to the privacy rights of anyone who is not a US citizen or physically in the United States,” Roth said.

Congress should reassess whether FISA and the Patriot Act allow the government too much latitude to engage in unjustifiably broad and arbitrary surveillance, Human Rights Watch said. Given concern about the vigor of congressional oversight, Human Rights Watch urged the creation of an independent panel with subpoena power and all necessary security clearances to examine current practices and to make recommendations to ensure appropriate protections for rights to privacy, free expression, and association. The administration should also come forward to the public on the scope and specific controls on its various data surveillance programs.

Human Rights Watch also expressed concern about the precedent these programs might set globally because they could give other governments a rationale for adopting widespread and arbitrary surveillance of phone and Internet activity.

“The US government’s credibility as an advocate for Internet freedom is at serious risk unless it ensures that privacy is protected along with security and acts with much greater transparency,” said Roth. “There is a real danger that other governments will see US practice as a green light for their own secret surveillance programs. That should be chilling to anyone who goes online or uses a phone.”

Background

The US Government’s Response
The US government has defended its surveillance programs, contending that they are legal and necessary for national security. In his June 6 statements, Director of National Intelligence James Clapper said the media stories about the surveillance programs contained unspecified “inaccuracies.” But he did not deny the authenticity of the Verizon order, its sweeping scope, or the existence of a program to collect communications from a range of Internet companies. He emphasized that information disclosure orders are subject to oversight by the Foreign Intelligence Surveillance Court, Congress, and the executive. That oversight includes, he said, “extensive procedures, approved by the court” to restrict who could be targeted, and “minimize the acquisition, retention, and dissemination of incidentally acquired information about US persons.”

However, the exact contours of such targeting or minimization procedures remain unknown, because the entire program and all documents and authorizations related to it remain secret. President Barack Obama also emphasized the need for the surveillance programs, which he said were subject to congressional oversight.

Senator Richard J. Durbin, however, has countered that claim, noting that only a handful of top leaders in Congress are regularly briefed. In 2012, Senators Ron Wyden and Mark Udall also warned that the government’s secret legal interpretation of Section 215 went beyond the public’s understanding of the law and called for greater transparency to ensure more effective oversight.

The US government may have a legitimate interest in engaging in certain types of targeted surveillance for specific periods of time. However, the secrecy of these programs prevents an assessment of whether these measures have proper oversight and whether they unnecessarily impinge on the rights to freedom of expression, association, and privacy, Human Rights Watch said.

“The government essentially is just saying, ‘Trust us, we are only collecting what is necessary.’ But the programs described are secret and apparently so broad that people have good reason to be skeptical of the government’s position,” Roth said.

The public so far has almost no information about how the government is using the data collected, which government agencies have access to the data for how many different purposes, or how long collected data is being retained, Human Rights Watch said.

The law that underpins these programs, FISA, has been challenged for its chilling effect on freedom of expression. In 2008, Human Rights Watch joined Amnesty International and other human rights and labor organizations to challenge the constitutionality of section 702 of the FISA Amendments Act. The groups contended that secret surveillance of electronic communications between people in the US and people abroad undermines the work of rights defenders. The groups also asserted that a surveillance law that allows a secret court to approve the collection of potentially large amounts of sensitive information without particularized assessment is unconstitutional. In its February 26 opinion in Clapper v. Amnesty, the Supreme Court rejected the challenge based on lack of standing – because the surveillance was secret, the organizations could not prove that they were under surveillance – effectively shielding the United States’ national security surveillance policies from judicial review.

Regardless of the status of current surveillance programs under US domestic law, the practices raise grave challenges to international human rights, including freedom of expression and information, freedom of association, and privacy, Human Rights Watch said.

In his report to the UN Human Rights Council in April, the special rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, warned that powerful new electronic surveillance techniques require countries to “update their … regulation of communications surveillance and modify their practices in order to ensure that individuals’ human rights are respected and protected,” including the rights to privacy and freedom of expression.

La Rue specifically cited FISA as an example of how “vague and unspecified notions of ‘national security’” have justified “blanket exceptions to the requirement for judicial authorization” and “invasive limitations on the enjoyment of human rights.” La Rue also warned that such surveillance measures have also involved “unnecessary secrecy around investigations or law enforcement activities, undermining the principles of transparency and accountability.”

La Rue also said that laws like FISA may raise issues of extra-territorial surveillance and expressed concern about the “inability of individuals to know that they might be subject to foreign surveillance, challenge decisions with respect to foreign surveillance, or seek remedies.” In approving orders for disclosure of user information, the FISA court is directed to consider the constitutional rights of people in the US, but not the rights of foreign nationals outside the US.

In a June 3 statement to the Human Rights Council, the US declined to “endorse all of the conclusions of the report, including those related to the nature of privacy rights and the test for permissible infringements on privacy.”

The Companies’ Response
Much of the data monitored came from commercial services and the actual role of companies is not fully known. Human Rights Watch understands that such orders are secret and prohibit the companies from disclosing information about them. In separate public statements, Google, Yahoo!, and Facebook asserted that they do not provide “direct access” to company servers. They also said that they have never received bulk orders for information disclosure like the Verizon order, and that they review each government request for user data and will only fulfill the request if it is lawful.

The responses, however, still leave the public in the dark as to how often such disclosures are made, the scope of information disclosed, and whether the companies have ever objected to or challenged disclosure orders. Human Rights Watch has reached out to companies identified by the Guardian directly, but has received no responses that went beyond existing public statements.

Recipients of FISA court orders are generally prohibited from disclosing the existence of the order. Under Section 702, the government can compel Internet companies to provide “all information, facilities, or assistance necessary” to acquire intelligence information. The authorization may run for up to one year. Companies that receive a FISA order can challenge its legality in the FISA court, but would still be gagged unless the court allows disclosure. Thus, public information about any challenges may be very limited if they are occurring.

Several companies have challenged other kinds of security gag orders under US law. Twitter successfully challenged a gag order related to a request for user data in the US government’s Wikileaks investigation so that the company could notify affected users. Google has challenged in federal court the use of National Security Letters that compel disclosure of user data, which are also served under gag order. In addition, on June 11, 2013, Google released an open letter to Attorney General Eric Holder and the Federal Bureau of Investigation director, Robert Mueller, requesting authorization to report on the number and scope of FISA requests it receives as part of the firm’s regular transparency reporting.

In response to company denials that they may have provided “direct access” to their servers, the Washington Post updated its coverage to cite another classified report that described the arrangement as “allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.”

A New York Times article described meetings between Internet companies and national security officials to discuss how companies might develop more efficient and secure methods to respond to requests for data. This suggests Internet companies may have some choice in how to structure compliance with FISA orders. To the extent companies have some ability to control how to respond, it is incumbent on companies to exhaust their options to safeguard privacy given the inherent secrecy of the proceedings, Human Rights Watch said.

Some of the companies named in media reports, such as Google, Microsoft, Yahoo!, and Facebook, are also members of the Global Network Initiative (GNI). GNI is a global, multi-stakeholder initiative intended to safeguard free expression and privacy online. Human Rights Watch is a founding member of this effort.

“Internet companies have a responsibility to resist arbitrary, sweeping, and invasive efforts to collect information about their users, and some of these companies have made explicit commitments to do so,” Roth said. “They need to be as transparent as the law allows and if they are gagged, they should press for greater transparency through legal challenges or by reporting aggregate data on requests they receive.”